transparent bridging support for authentication …...transparent bridging support for...

10
Transparent Bridging Support for Authentication Proxy The Transparent Bridging Support for Authentication Proxy feature allows network administrators to configure transparent authentication proxy on existing networks without having to reconfigure the statically defined IP addresses of their network-connected devices. The result is that security policies are dynamically authenticated and authorized on a per user basis, which eliminates the tedious and costly overhead required to renumber devices on the trusted network. Authentication proxy rules on bridged interfaces can coexist with router interfaces on the same device, whenever applicable, which allows administrators to deploy different authentication proxy rules on bridged and routed domains. Finding Feature Information, page 1 Restrictions for Transparent Bridging Support for Authentication Proxy, page 2 Information About Transparent Bridging Support for Authentication Proxy, page 2 How to Configure Transparent Authentication Proxy, page 2 Configuration Examples for Transparent Authentication Proxy, page 3 Additional References, page 7 Feature Information for Transparent Authentication Proxy, page 8 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T 1

Upload: others

Post on 23-Aug-2020

7 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

Transparent Bridging Support for AuthenticationProxy

The Transparent Bridging Support for Authentication Proxy feature allows network administrators to configuretransparent authentication proxy on existing networks without having to reconfigure the statically definedIP addresses of their network-connected devices. The result is that security policies are dynamicallyauthenticated and authorized on a per user basis, which eliminates the tedious and costly overhead requiredto renumber devices on the trusted network.

Authentication proxy rules on bridged interfaces can coexist with router interfaces on the same device,whenever applicable, which allows administrators to deploy different authentication proxy rules on bridgedand routed domains.

• Finding Feature Information, page 1

• Restrictions for Transparent Bridging Support for Authentication Proxy, page 2

• Information About Transparent Bridging Support for Authentication Proxy, page 2

• How to Configure Transparent Authentication Proxy, page 2

• Configuration Examples for Transparent Authentication Proxy, page 3

• Additional References, page 7

• Feature Information for Transparent Authentication Proxy, page 8

Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T 1

Page 2: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

Restrictions for Transparent Bridging Support for AuthenticationProxy

Authentication Proxy is not supported on vLAN trunk interfaces that are configured in a bridge group.

Information About Transparent Bridging Support forAuthentication Proxy

Authentication proxy provides dynamic, per-user authentication and authorization of network access connectionsto enforce security policies. Typically, authentication proxy is a Layer 3 functionality that is configured onrouted interfaces with different networks and IP subnets on each interface.

Integrating authentication proxy with transparent bridging enables network administrators to deployauthentication proxy on an existing network without impacting the existing network configuration and IPaddress assignments of the hosts on the network.

Transparent Bridging OverviewIf configured for bridging, a Cisco IOS device can bridge any number of interfaces. The device can completebasic bridging tasks such as learning MAC addresses on ports to restrict collision domains and runningSpanning Tree Protocol (STP) to prevent looping in the topology.

Within bridging, a user can configure Integrated Routed Bridging (IRB), which allows a device to bridge onsome interfaces while a Layer 3 Bridged Virtual Interface (BVI) is presented for routing. The bridge candetermine whether the packet is to be bridged or routed on the basis of the destination of the Layer 2 or Layer3 IP address in the packet. Configured with an IP address, the BVI can manage the device even if no interfaceis configured for routing.

How to Configure Transparent Authentication ProxyTo configure authentication proxy on bridged interfaces, you must configure the interface in a bridge groupand apply an authentication proxy rule on the interface. You must also set up and configure the authentication,authorization, and accounting (AAA) server (Cisco ACS) for authentication proxy. For examples on how toconfigure authentication proxy on a bridged interface, see the section, Configuration Examples for TransparentAuthentication Proxy.

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T2

Transparent Bridging Support for Authentication ProxyRestrictions for Transparent Bridging Support for Authentication Proxy

Page 3: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

Configuration Examples for Transparent Authentication Proxy

Authentication Proxy in Transparent Bridge Mode ExampleThe following example (see the figure below) shows how to configure authentication proxy in a transparentbridged environment in which network users (that is, hosts on the bridged interface FastEthernet 5/0) arechallenged for user credentials before being given access to protected resources.

Figure 1: Authentication Proxy in Transparent Bridging Mode: Sample Topology

aaa new-model!aaa authentication login default group radiusaaa authorization auth-proxy default group radiusaaa accounting auth-proxy default start-stop group radius!no ip routing!!no ip cef!ip auth-proxy name AuthRule http inactivity-time 60!interface FastEthernet5/0ip address 10.0.0.2 255.255.255.0ip auth-proxy AuthRuleip access-group 100 inno ip route-cacheduplex autospeed autobridge-group 1!interface FastEthernet5/1no ip addressno ip route-cacheduplex autospeed autobridge-group 1

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T 3

Transparent Bridging Support for Authentication ProxyConfiguration Examples for Transparent Authentication Proxy

Page 4: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

!ip http serverip http secure-server!radius-server host 10.0.0.5 auth-port 1645 acct-port 1646radius-server key cisco!bridge 1 protocol ieee!Router# show ip auth-proxy cacheAuthentication Proxy CacheClient Name AuthRule, Client IP 10.0.0.1, Port 1100,

timeout 60, Time Remaining 60, state ESTAB

Authentication Proxy in Concurrent Route Bridge Mode ExampleConcurrent routing and bridging configuration mode allows routing and bridging to occur in the same router;however, the given protocol is not switched between the two domains. Instead, routed traffic is confined tothe routed interfaces and bridged traffic is confined to the bridged interfaces.

The following example (see the figure below) shows how to configure authentication proxy in a concurrentrouting and bridging environment in which network users (that is, hosts on the bridged interface FastEthernet5/0) are challenged for user credentials before being given access to protected resources.

Figure 2: Authentication Proxy in Concurrent Route Bridge Mode: Sample Topology

aaa new-model!aaa authentication login default group radiusaaa authorization auth-proxy default group radiusaaa accounting auth-proxy default start-stop group radiusb!ip cef!

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T4

Transparent Bridging Support for Authentication ProxyAuthentication Proxy in Concurrent Route Bridge Mode Example

Page 5: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

bridge crb!ip auth-proxy name AuthRule http inactivity-time 60!interface FastEthernet5/0ip address 10.0.0.2 255.255.255.0ip auth-proxy AuthRuleip access-group 100 inno ip route-cacheduplex autospeed autobridge-group 1!interface FastEthernet5/1no ip addressno ip route-cacheduplex autospeed autobridge-group 1!ip http serverip http secure-server!radius-server host 10.0.0.5 auth-port 1645 acct-port 1646radius-server key cisco!bridge 1 protocol ieee!Router# show ip auth-proxy cacheAuthentication Proxy CacheClient Name AuthRule, Client IP 10.0.0.1, Port 1145,

timeout 60, Time Remaining 60, state ESTAB

Authentication Proxy in Integrated Route Bridge Mode ExampleIn an integrated routing and bridging environment, a bridged network is interconnected with a router network.Both routing and bridging can occur in the same router with connectivity between routed and bridged domains.

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T 5

Transparent Bridging Support for Authentication ProxyAuthentication Proxy in Integrated Route Bridge Mode Example

Page 6: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

The following example (see the figure below) shows how to configure authentication proxy in an integratedrouting and bridging environment in which network users (that is, hosts on the bridged interface FastEthernet5/0) are challenged for user credentials before being given access to protected resources.

Figure 3: Authentication Proxy in Integrated Route Bridge Mode: Sample Topology

!aaa new-model!aaa authentication login default group radiusaaa authorization auth-proxy default group radiusaaa accounting auth-proxy default start-stop group radius!ip cef!ip auth-proxy name AuthRule http inactivity-time 60!bridge irb!interface FastEthernet3/0no ip addressduplex halfbridge-group 1!interface FastEthernet5/0no ip addressip auth-proxy AuthRuleip access-group 100 induplex autospeed autobridge-group 1!interface FastEthernet5/1no ip addressduplex autospeed autobridge-group 1!interface BVI1ip address 10.0.0.25 255.255.255.0!!ip route 11.0.0.0 255.255.255.0 10.0.0.7!

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T6

Transparent Bridging Support for Authentication ProxyAuthentication Proxy in Integrated Route Bridge Mode Example

Page 7: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

ip http serverip http secure-server!radius-server host 11.0.0.5 auth-port 1645 acct-port 1646radius-server key cisco!bridge 1 protocol ieeebridge 1 route ip!Router# show ip auth-proxy cacheAuthentication Proxy CacheClient Name AuthRule, Client IP 10.0.0.1, Port 1100,

timeout 60, Time Remaining 60, state ESTAB

Additional ReferencesThe following sections provide references related to the Transparent Bridging Support for AuthenticationProxy feature.

Related Documents

Document TitleRelated Topic

Cisco IOS Security Command ReferenceAuthentication proxy commands

Cisco IOS Bridging Command ReferenceBridging commands

Standards

TitleStandard

--None

MIBs

MIBs LinkMIB

To locate and downloadMIBs for selected platforms,Cisco IOS releases, and feature sets, use Cisco MIBLocator found at the following URL:

http://www.cisco.com/go/mibs

None

RFCs

TitleRFC

--None

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T 7

Transparent Bridging Support for Authentication ProxyAdditional References

Page 8: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

Technical Assistance

LinkDescription

http://www.cisco.com/techsupportThe Cisco Support website provides extensive onlineresources, including documentation and tools fortroubleshooting and resolving technical issues withCisco products and technologies.

To receive security and technical information aboutyour products, you can subscribe to various services,such as the Product Alert Tool (accessed from FieldNotices), the Cisco Technical Services Newsletter,and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support websiterequires a Cisco.com user ID and password.

Feature Information for Transparent Authentication ProxyThe following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T8

Transparent Bridging Support for Authentication ProxyFeature Information for Transparent Authentication Proxy

Page 9: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

Table 1: Feature Information for Transparent Authentication Proxy

Feature InformationReleasesFeature Name

The Transparent Bridging Supportfor Authentication Proxy featureallows network administrators toconfigure transparentauthentication proxy on existingnetworks without having toreconfigure the statically definedIP addresses of theirnetwork-connected devices. Theresult is that security policies aredynamically authenticated andauthorized on a per user basis,which eliminates the tedious andcostly overhead required torenumber devices on the trustednetwork.

Authentication proxy rules onbridged interfaces can coexist withrouter interfaces on the samedevice, whenever applicable, whichallows administrators to deploydifferent authentication proxy ruleson bridged and routed domains.

This feature was introduced inCisco IOS Release 12.4(15)T.

12.4(15)TTransparent Bridging Support forAuthentication Proxy

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T 9

Transparent Bridging Support for Authentication ProxyFeature Information for Transparent Authentication Proxy

Page 10: Transparent Bridging Support for Authentication …...Transparent Bridging Support for Authentication Proxy Feature Information for Transparent Authentication Proxy Authentication

Authentication Proxy Configuration Guide, Cisco IOS Release 15M&T10

Transparent Bridging Support for Authentication ProxyFeature Information for Transparent Authentication Proxy